Feature #21421 » 0003-Send-a-security-notification-when-a-user-s-password-.patch
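--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -73,6 +73,12 @@
 @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
 if @user.save
 @token.destroy
+Mailer.security_notification(@user,
+message: :mail_body_security_notification_change,
+field: :field_password,
+title: :button_change_password,
+url: {controller: 'my', action: 'password'}
+).deliver
 flash[:notice] = l(:notice_account_password_updated)
 redirect_to signin_path
 return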
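Review bot: The notification is delivered synchronously with `.deliver` after `@user.save` and `@token.destroy` have already taken effect, so a delivery error raised from the mailer would turn a completed password reset into an error page for the user before the flash and redirect run; the identical block added in app/controllers/my_controller.rb has the same shape. Unless the project's Mailer already swallows delivery errors (not visible in this patch), the call should be made failure-tolerant, for example `deliver_later` where the Rails version in use provides it, or guarded so the redirect still happens. The six-line argument list is also duplicated verbatim between the two controllers; a single wrapper such as `Mailer.password_changed_notification(@user)` would keep the message, field, title and url in step if one of them is later edited. A why-comment at the call site, e.g. `# Tell the account owner so an unauthorised reset is noticed quickly`, would make the intent clear to the next reader. The enclosing action starts before the hunk.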
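--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@@ -105,6 +105,12 @@
 if @user.save
 # The session token was destroyed by the password change, generate a new one
 session[:tk] = @user.generate_session_token
+Mailer.security_notification(@user,
+message: :mail_body_security_notification_change,
+field: :field_password,
+title: :button_change_password,
+url: {controller: 'my', action: 'password'}
+).deliver
 flash[:notice] = l(:notice_account_password_updated)
 redirect_to my_account_path
 end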
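--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -372,4 +372,5 @@
 end
 def test_post_lost_password_with_token_should_change_the_user_password
+ActionMailer::Base.deliveries.clear
 user = User.find(2)
 token = Token.create!(:action => 'recovery', :user => user)
@@ -380,5 +381,9 @@
 user.reload
 assert user.check_password?('newpass123')
 assert_nil Token.find_by_id(token.id), "Token was not deleted"
+assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+assert_select_email do
+assert_select 'a[href^=?]', 'http://localhost:3000/my/password', :text => 'Change password'
+end
 end
 def test_post_lost_password_with_token_for_non_active_user_should_fail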
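Review bot: The assertions added to test_post_lost_password_with_token_should_change_the_user_password check that a mail exists and links to /my/password, but unlike the sibling test in test/functional/my_controller_test.rb they never assert that the new password is absent from the body, which is the property a security notification most needs pinned; add `assert_mail_body_no_match 'newpass123', mail` after the `assert_not_nil` line. It would also be worth asserting the recipient is the account owner (`user.mail` in `mail.to` or `mail.bcc`, depending on how the project's Mailer addresses recipients), since a notification sent to the wrong address defeats its purpose. Minor: `assert_not_nil (mail = ...)` with a space before the parenthesis makes Ruby warn about a grouped expression; `mail = ActionMailer::Base.deliveries.last` on its own line followed by `assert_not_nil mail` avoids that.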
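--- a/test/functional/my_controller_test.rb
+++ b/test/functional/my_controller_test.rb
@@ -193,5 +193,18 @@
 assert_redirected_to '/my/account'
 end
+def test_change_password_should_send_security_notification
+ActionMailer::Base.deliveries.clear
+post :password, :password => 'jsmith',
+:new_password => 'secret123',
+:new_password_confirmation => 'secret123'
+
+assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+assert_mail_body_no_match 'secret123', mail # just to be sure: pw should never be sent!
+assert_select_email do
+assert_select 'a[href^=?]', 'http://localhost:3000/my/password', :text => 'Change password'
+end
+end
+
 def test_page_layout
 get :page_layout
 assert_response :success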
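Review bot: test_change_password_should_send_security_notification only covers the success path; there is no companion test that a rejected change (wrong current password, or a confirmation that does not match) leaves `ActionMailer::Base.deliveries` empty, so a regression that moved the Mailer call outside the `if @user.save` branch in app/controllers/my_controller.rb would go unnoticed. A second test posting `:password => 'wrong', :new_password => 'secret123', :new_password_confirmation => 'secret123'` (constructed values) and then asserting `assert_equal 0, ActionMailer::Base.deliveries.size` would pin that. The test also never asserts who the mail is addressed to; checking that the logged-in fixture user's address appears in `mail.to` or `mail.bcc` (whichever the project's Mailer uses) would catch a notification going to the wrong account. Whether the section ends with `assert_response :success` cannot be confirmed from this view; the remainder of test_page_layout, if any, is outside it.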